This article is from the Computer Security Evaluation FAQ, by Trusted Product Evaluation Program TPEP@dockmaster.ncsc.mil.
The simplest way to find out if a product is not evaluated is
to ask the product vendor. If the vendor has an evaluated
product, it is a pretty good bet that the company marketing
people are aware of it. Many products that have NOT been
evaluated have names containing a rating or have declared
themselves as "designed to meet" a specific rating. These products
have not withstood the same scrutiny as products listed on the EPL.
If a vendor claims to have an evaluated product, you should
independently verify the details of the evaluation (e.g.,
product version, configuration, rating). All evaluated products
are placed on the Evaluated Products List (EPL) (see Section V,
Question 6). That is the first place to look. The EPL entries
that have been awarded within the last three years are available
at <http://www.radium.ncsc.mil/tpep/epl/>. To verify a specific
detail (e.g., the rating) of an evaluation, you may call the Trusted
Product Evaluation Program (TPEP) directly at (410) 859-4458. This
will often result in less complete information since generally we
don't read entire EPL entries over the phone.
For the most complete information about a specific evaluated
product, you should request a copy of the evaluation report
(see Section V, Question 7). Unfortunately, the publication of
the report sometimes postdates the evaluation significantly.
An increasing number of final evaluation reports are available
via links from the product's electronic EPL entry or from
<http://www.radium.ncsc.mil/tpep/library/fers/> by report number.
 